Zack Whittaker, the security editor at TechCrunch has an extraordinary scoop today.
He reports that medical data is being broadcast unencrypted by hospitals across the UK, as ambulances are directed to respond to 999 emergency calls.
Why unencrypted? Because the information is being sent by old-fashioned pagers – a technology that you might have thought was dead and buried long ago and replaced with smartphones.
As Whittaker explains, there are good reasons why pagers are still widely used within the National Health Service:
Pagers — or beepers — may be a relic of the past, but remain a fixture in UK hospitals.
These traditionally one-way communication devices allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network. But pagers still offer benefits where newer technologies, like cell phones, fall down. Because they work a low frequency, pager radio waves are able to travel further and deeper inside large buildings — particularly hospitals — which have thickened walls to protect others from X-rays and other radiation. Pagers also work across long distances, including in cell service dead-spots.
Although pagers encode messages before transmission, that’s a very different thing from encryption. And, apparently, all that is required to pick up and decode the messages sent via pagers is “a $20 plug-in dongle and an antenna”.
But perhaps what’s most extraordinary is how this problem of pagers leaking NHS data came to light. It wasn’t because a security researcher investigated the issue and found the sensitive data swirling around the radio spectrum. Instead, a teenager in Florida who was investigating exposed webcams broadcasting freely to the internet stumbled across a camera pointed at the screen of a radio ham in North London.
The unidentified radio enthusiast had been picking up the pager communications from a nearby NHS trust.
The hobbyist had their radio rig set up at home with their computer decoding pager messages. For some bizarre reason, they also had an unprotected webcam pointing at the computer screen.
A teenager in Florida found the exposed webcam & alerted us.
— Zack Whittaker (@zackwhittaker) October 30, 2019
According to TechCrunch, the radio enthusiast was informed of the problem by his ISP and the webcam is no longer broadcasting the sensitive data to all and sundry – no password required.
But that doesn’t mean that medical and health information does not continue to be communicated via NHS pagers, unencrypted for anyone to intercept…